Security Theater and Transparency

[With apologies to my grandmothers, some of the most insightful people I’ve known.]

When you want to build a publicly accountable secure system, must you build to the lowest common denominator? The key example is, of course, voting. It’s clear that you have to build the user interface to the lowest common denominator: given minimal direction, anyone should be able to vote. But must the audit/security process be equally “dumbed down?”

Most election activists (Bev Harris, Black Box Voting, Open Voting Consortium, etc.) clearly answer “yes.” Yes, my grandma needs to understand every security aspect of the entire voting system. I’ve even had an argument on the OVC mailing list on the meaning of the word “transparent.” Some election activists have, in a way, hijacked the word “transparency” to mean “understandable by the average person,” regardless of how much effort the average person is willing to make, or how much pre-existing knowledge the average person has. In other words, a completely documented system that requires an understanding of high school algebra would, by this definition, not be transparent, since most people don’t understand algebra.

So what happens if you can’t get true security that fits this constraint? What if the algebra really is necessary to achieve the right level of auditing and security, but you simply refuse to use it? Then you get a system that looks secure to the average person, but that has little to do with real security. This is security inspired by the Transportation Security Administration (TSA), the folks who force 5-year-olds to take off their shoes at the airport.

Security experts often explain that the TSA security measures are pure theater. A no-fly list sounds great to the average person, but it simply doesn’t help, especially once it’s widely announced and the terrorists can easily get fake identification. Forcing everyone to pack 3oz toothpaste bottles because of “liquid explosives” sounds insightful, but top chemists in this country still don’t see how a bomb could be assembled in flight from 8oz of anything that doesn’t already alert the bomb-sniffing dogs. The TSA puts on security theater, so that the average person is reassured. Security theater has everything to do with perception, and nothing to do with reality. And that’s what you get when you’re trying to do security that the average person understands.

In the voting field, we have a similar brand of security theater: the widespread misconception that we should just hand-count ballots, because, clearly, to the average person, that sounds a lot more secure and publicly verifiable than some other complex scheme. But studies show that, because of the complexity of our ballot, unintended human tallying mistakes occur far more often than the average person’s intuition would indicate. And, to anyone familiar with quality control processes, the ballot chain of custody is a reliability nightmare: how does one check that no one has tampered with a ballot box full of de-identified ballots that no one can look at during the crucial 24 hours when low-wage, minimally trained election workers are entirely responsible for them?

Now, to be fair, today’s touch-screen voting machines are worse: they suffer from most of the same issues as hand-counted paper ballots, and provide less transparency: the source code isn’t even available for review!

But the important detail that many voting activists sweep under the rug is Open-Audit Voting. Open-Audit Voting is a truly revolutionary approach that provides every voter with the equivalent of a ballot “tracking number”. At a high level, this tracking number lets the voter come home and check (online or on the phone) that their ballot made it into the final tally. At a low level, the tracking number involves some fancy and fascinating cryptography that ensures that, even if all voting machines and officials are corrupt, they cannot alter the election result without being caught.

That is the true meaning of the word “transparent”: any voter can verify their vote and the overall tally. But a number of election activists disagree: if grandma can’t understand the crypto, then the system is supposedly not transparent. It has to feel right, and this complicated crypto doesn’t feel right, whereas hand counting feels right, never mind the pesky scientific studies that prove otherwise.

Take a step back for a second. If this attitude is justified here, then how can one complain about the anti-science approach of the Bush administration? After all, winter this year was awfully cold; I’m not so sure this global warming brouhaha feels correct. Don’t show me charts, and graphs, and trends, and standard deviations: grandma thought this year was the coldest winter she’d felt in years!

So the key question is this: how do you build a transparent, publicly accountable system when the science required to understand it is more than the average person knows? That’s an interesting debate! Here’s what I (and many others before me) propose, as a definition of transparency:

A system is transparent if, given a reasonable amount of time and effort, a person with a college education can understand it. Then, those without the education, time, or willingness to understand it can consult with someone they trust who does understand it.

In other words, a system is transparent if all you need is knowledge. If you need privilege, e.g. being an employee of the vendor, then it’s not transparent. If all you need is knowledge and not privilege, then anyone can find someone they trust who’s had the time to look at the system and declare it secure.

I don’t expect everyone to understand the depth of Open-Audit Voting. But I do think that many of the election activists, if only they were willing to spend the time and effort, could understand it, could realize its amazing benefits, and then could give their thumbs up to their organizations saying “we trust this system.” It’s just a question of whether they want to go beyond their gut feeling and look at the science. The alternative is security theater.

In particular, you mention the problem of election failure, which is crucial. Interestingly, that’s one major area where open-audit systems shine. If you hand-count ballots, but you lose a ballot box (e.g. 2002, San Francisco, ballot boxes floating in the Bay), then what? Election officials will tell you that mistakes and problems happen all the time, and the biggest problem is that you can’t recover from them, you can barely even detect the problems. As a result, election officials typically hope for a clear, unambiguous winner (no matter what the party), so that no one needs to look too closely at their voting operations.

With open-audit voting, a failure is actually something you can investigate and often recover from. A voter who checks that their ballot made it into the tally using their tracking number can detect if their vote isn’t counted and complain, with court-acceptable proof (a digital signature, which has legal precedent). An election official can tell if votes were handled incorrectly. And everyone can verify the tally process and provide clear evidence if an error occurs.

So, instead of the contrived three options you present, there’s at least one more option: build a voting system that can recover from failure. That’s what a few of us are trying to do.
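
As an added illustration of the tracking-number check described in the post above and of the dropped-ballot and signed-proof points in the reply just above (this is example code written for this page, not the post’s own system or any deployed open-audit scheme), here is a toy bulletin board in Go. It stands in for the real cryptography with a plain hash commitment: the tracking number is SHA-256 over the choice and a random nonce, the officials sign it with an Ed25519 key from the Go standard library, publish the numbers on a board, and publish the openings after the close so anyone can recount. The Authority type, the candidate names and the three sample votes are all constructed for the example. One caveat the toy does not address: publishing openings next to tracking numbers lets a receipt holder prove how they voted, which real open-audit systems avoid with mixnets or homomorphic tallying; none of that is shown here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"reflect"
	"slices"
)

// Ballot is a choice plus a random nonce that keeps the tracking number unguessable.
type Ballot struct{ Choice string; Nonce [16]byte }

// TrackingNumber is a hash commitment, SHA-256(choice || 0x00 || nonce); it hides the choice until the nonce is published.
func TrackingNumber(b Ballot) string {
	return fmt.Sprintf("%x", sha256.Sum256(append(append([]byte(b.Choice), 0), b.Nonce[:]...)))
}

// Receipt is what the voter takes home: the tracking number signed by the authority.
type Receipt struct{ Tracking string; Sig []byte }

// Authority is a hypothetical stand-in for the officials: signing key, public board, openings published at close.
type Authority struct {
	Pub      ed25519.PublicKey
	priv     ed25519.PrivateKey
	Board    []string
	Openings []Ballot
}

func NewAuthority() *Authority {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable key means no election, not a silent fallback
	}
	return &Authority{Pub: pub, priv: priv}
}

// Cast records a ballot, publishes its tracking number and returns the signed receipt.
func (a *Authority) Cast(choice string) Receipt {
	b := Ballot{Choice: choice}
	if _, err := rand.Read(b.Nonce[:]); err != nil {
		panic(err) // a voting machine must not paper over a broken RNG
	}
	t := TrackingNumber(b)
	a.Board, a.Openings = append(a.Board, t), append(a.Openings, b)
	return Receipt{Tracking: t, Sig: ed25519.Sign(a.priv, []byte(t))}
}

// TallyOf recounts opened ballots; the officials' announced result is one of these.
func TallyOf(ballots []Ballot) map[string]int {
	out := map[string]int{}
	for _, b := range ballots {
		out[b.Choice]++
	}
	return out
}

// CheckReceipt is the voter's at-home check. A receipt that is genuine (really
// signed by the authority) but not on the board is signed proof of a dropped ballot.
func CheckReceipt(pub ed25519.PublicKey, board []string, r Receipt) (genuine, onBoard bool) {
	return ed25519.Verify(pub, []byte(r.Tracking), r.Sig), slices.Contains(board, r.Tracking)
}

// AuditTally is the check anyone can run on the published data: every board entry is
// opened exactly once, nothing is opened that was never on the board, and the announced totals equal a recount.
func AuditTally(board []string, openings []Ballot, announced map[string]int) error {
	opened := map[string]int{}
	for _, b := range openings {
		opened[TrackingNumber(b)]++
	}
	for _, t := range board {
		if opened[t] != 1 {
			return fmt.Errorf("board entry %s opened %d times, want exactly 1", t, opened[t])
		}
		delete(opened, t) // an entry listed twice on the board fails on its second visit
	}
	if len(opened) != 0 {
		return fmt.Errorf("%d opening(s) have no board entry", len(opened))
	}
	if recount := TallyOf(openings); !reflect.DeepEqual(recount, announced) {
		return fmt.Errorf("announced %v but a recount gives %v", announced, recount)
	}
	return nil
}

func main() {
	auth := NewAuthority()
	r0 := auth.Cast("alice") // constructed sample votes: alice, bob, alice
	auth.Cast("bob")
	auth.Cast("alice")
	announced := TallyOf(auth.Openings)
	fmt.Println("honest run, audit error:", AuditTally(auth.Board, auth.Openings, announced))
	// Lost ballot box: voter 0's ballot is dropped before the board goes public.
	g, on := CheckReceipt(auth.Pub, auth.Board[1:], r0)
	fmt.Println("after the drop: genuine", g, "on board", on)
	// Fudged tally: one extra vote announced for bob.
	announced["bob"]++
	fmt.Println("fudged tally, audit error:", AuditTally(auth.Board, auth.Openings, announced))
}
```

Run it with go run: the honest audit reports no error, the dropped-ballot check comes back genuine but not on the board (that signed receipt is the court-usable evidence the reply mentions), and the fudged tally fails the public recount. The design point is that none of these checks require trusting the officials: the voter needs only the public key and the board, and the auditor needs only what was published.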

In 1954, Thurgood Marshall, then the Chief Counsel for the NAACP, argued before the Supreme Court in the case of Brown v Board of Education. The NAACP won. Following that win, Thurgood Marshall, like many other well-educated people of the time, thought that the states would just integrate their schools.

A few years later, nine black students were selected to attend the 1957-58 school year at Central High School in Little Rock, Arkansas. The Governor of Arkansas, Orval Faubus, called out the Arkansas National Guard. The rest, as they say, is history.

The point of this little story? “Political power flows from the barrel of a gun.”

You can call me misinformed all you like. But the attitude you’re expressing reminds me a little of Thurgood Marshall’s astonishment.

It’s probably impolitic for me to say this: I read your thesis. You put a lot of work into it. I expect you put a lot of heart into it. So, it pains me to tell you that I don’t think you’re working towards a politically practicable solution. I don’t know about you, but if someone told me that, I might be hurt or I might get mad. Maybe a little of both. So, you have my apologies.

Don’t be pained, I’m neither hurt nor angry nor crying in a corner. Because I’ve spent some time in academia, some people assume that I have no idea how the real world works. Or they assume that I would use the exact same approach when writing a cryptography PhD dissertation and when educating the public about interesting new technology. You’re not the first.

I do find it interesting that you continually associate “well-educated” with “impractical.” Sadly, it has become a common trait among activists, and not just in the voting world. There seems to be disdain for education. Certainly, there is always a risk that too much theory will impede practice. But to assume that theory, reasoning, and intellectual debate are inherently bad…. that’s reminiscent of the current US administration, only with a different evidence-free ideology.

I’d challenge you on the assertion that studies have shown that people make mistakes when counting. There are two studies that I know of that are relevant here and they only apply to a relatively narrow set of circumstances… and they’re both based on observations rather than controlled experiments. We definitely need more experimental work with hand-counting methods to tease out some of these issues. For example, I’m convinced that there are methods of doing hand counts that result in very very low error rates… but I don’t have the time, resources, etc. to do that work (and election officials I know that have submitted a proposal to do this work were recently denied funding for it).